Failure Audits in XP Events Security log

Gary Karasik

Hi,

I hope this is the correct place to post this:

I have several clients with SBS2003 networks consisting of XP/SP1 clients.
All of the XP clients are showing lots of Failure Audits in the Security
Event logs. They are all similar to the following, although some specify
LSASS, some SPOOLSV, some SVCHOST. EventID.NET suggests turning off the
Firewall Service, but turning the Firewall Service off causes the Computer
Browser Service to shut down, so that's not a happy option.

I tried adding LSASS and SPOOLSV to the Exception list, but that didn't stop
the failure audits.

Can anyone tell me how to fix this?

GaryK

---------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Date: 2/2/2005
Time: 8:46:17 PM
User: NT AUTHORITY\SYSTEM
Computer: JOSHUA
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Name: -
Path: C:\WINDOWS\SYSTEM32\lsass.exe
Process identifier: 688
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 3794
Allowed: No
User notified: No
 
JW

for those PCs behind a hardware gateway/NAT/firewall, the XP software
firewall would normally not be needed, but i don't know what the
Computer Browser Service is for.

for other users, i would recommend turning off auditing of the category
named "Detailed Tracking". my event log was also drowning in thousands
of these lines, and i am a user of a single, non-network PC. the only
alternative, which has dangerous consequences, is to allow all those
applications to listen and respond to all incoming network traffic.
 
Gary Karasik

Thanks, JW,

Responses in line:
> for those PCs behind a hardware gateway/NAT/firewall, the XP software
> firewall would normally not be needed, but i don't know what the Computer
> Browser Service is for.

On a network, the Computer Browser service allows computers to see and work
with each other. Some people advocate using the firewall internally in case
a PC behind the firewall somehow gets infected. The theory is that the
firewall would help protect PCs inside the network from each other.

> for other users, i would recommend turning off auditing of the category
> named "Detailed Tracking". my event log was also drowning in thousands of
> these lines, and i am a user of a single, non-network PC. the only
> alternative, which has dangerous consequences, is to allow all those
> applications to listen and respond to all incoming network traffic.

Yes, I could turn off auditing, but I want to understand why I'm getting
these failure audits.

GaryK
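
An added example, not part of any post in this thread: one way to see which processes and ports account for the Event ID 861 failure audits is to parse a text export of the Security log and count the blocked listeners. The field names follow the record quoted in the first post; the export layout, the function names and every sample value other than lsass.exe on UDP 3794 are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of the record quoted in the first post.
TEMPLATE = r"""Event Type: Failure Audit
Event Source: Security
Event Category: Detailed Tracking
Event ID: 861
Description:
The Windows Firewall has detected an application listening for incoming
traffic.
Path: C:\WINDOWS\SYSTEM32\{exe}
Service: Yes
IP protocol: {proto}
Port number: {port}
Allowed: No
"""
# Only the lsass.exe / UDP / 3794 values come from the thread; the rest are made up.
ROWS = [("lsass.exe", "UDP", 3794), ("lsass.exe", "UDP", 3794), ("spoolsv.exe", "TCP", 1037)]
SAMPLE = "".join(TEMPLATE.format(exe=e, proto=p, port=n) for e, p, n in ROWS)

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):[ \t]*(.*)$")

def parse_events(text):
    """Split exported log text into one dict of fields per event."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue  # free-text description lines carry no field
        key, value = m.group(1), m.group(2).strip()
        if key == "Event Type":  # assumed to be the first field of each record
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def blocked_listeners(events):
    """Count 861 events with 'Allowed: No' per (image name, protocol, port)."""
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") != "861" or ev.get("Allowed") != "No":
            continue
        image = ev.get("Path", "?").rsplit("\\", 1)[-1].lower()
        counts[(image, ev.get("IP protocol", "?"), ev.get("Port number", "?"))] += 1
    return counts

if __name__ == "__main__":
    for (image, proto, port), n in blocked_listeners(parse_events(SAMPLE)).most_common():
        print(f"{n:5d}  {image:<14} {proto}/{port}")
```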
 
